What Is a Penetration Test? What Are the Penetration Test Phases?

Modern IT needs have changed compared to the 80s and 90s. In the old days, just operating IT was enough for success, but today that has changed. We need to secure the IT environment in order to be successful. There are different methodologies, standards, and architectures to design, plan, implement, and evolve the security of corporations. Penetration tests provide very useful input and metrics for different types of practical security issues and vulnerabilities.

What Is a Penetration Test?

As the name suggests, this type of security test is used to penetrate systems, applications, networks, information, corporations etc. (put here whatever you want) by implementing real-world cyber attacks. A penetration test is also known as a pentest. A penetration test may have different attributes according to different factors. We will look at some of them below.

Aim

The aim is a very important aspect of the penetration test. All penetration test attributes such as type, scope, implementation, tools, report, … are selected according to the aim. As an example, we may want to test our external web applications and related network infrastructure for internal and contractor-related vulnerabilities. This will mainly change the attributes of the penetration test.

Types/Methodologies

There are 3 well-known and widely used types of penetration test.

A Black Box penetration test is done where penetration testers do not know any specific information about the scope. They have very little information.

A Gray Box penetration test is done with more information about the scope and related IT systems. But this information is not as complete as in a White Box test.

A White Box test is done with a lot of information known by the pentesters. They generally skip the reconnaissance step of the penetration test.

Scope

Scope is another important aspect of the penetration test. Scope draws or sets the boundaries of the test. Scope is also an important factor in deciding the penetration test value. Scope is generally defined with the following metrics:

IP address

System count

Application interface count

Application source code count

Wireless SSID count

Social Engineering mail receiver count

End User System count

…
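Because the scope sets the boundaries of the test, a target list is normally checked against the agreed IP ranges before any tool is run. The following is an added example, not part of the original article; the scope sheet, the exclusion list and the function names are assumptions made for illustration, and the addresses are constructed from documentation-only ranges.

```python
import ipaddress

# Constructed scope sheet using documentation-only address ranges (RFC 5737).
SCOPE = {
    "in_scope": ["192.0.2.0/24", "198.51.100.10/32"],
    "excluded": ["192.0.2.200/29"],  # hypothetical carve-out requested by the client
}


def parse_networks(entries):
    """Turn scope entries (single IPs or CIDR blocks) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def check_target(target, scope=SCOPE):
    """Return (allowed, reason) for one candidate target address."""
    try:
        addr = ipaddress.ip_address(target.strip())
    except ValueError:
        # Hostnames and typos are rejected: this scope is agreed per IP address,
        # so a name has to be resolved and confirmed with the client first.
        return False, "not an IP address"
    # Exclusions win over inclusions, so a carve-out inside an allowed block holds.
    if any(addr in net for net in parse_networks(scope["excluded"])):
        return False, "explicitly excluded"
    if any(addr in net for net in parse_networks(scope["in_scope"])):
        return True, "in scope"
    return False, "outside agreed scope"


def partition_targets(targets, scope=SCOPE):
    """Split targets into in-scope addresses and rejected (target, reason) pairs."""
    accepted, rejected = [], []
    for t in targets:
        ok, reason = check_target(t, scope)
        if ok:
            accepted.append(t.strip())
        else:
            rejected.append((t.strip(), reason))
    return accepted, rejected


if __name__ == "__main__":
    sample = ["192.0.2.15", "192.0.2.201", "203.0.113.7", "intranet.example"]
    ok, bad = partition_targets(sample)
    print("in scope:", ok)
    for target, reason in bad:
        print("rejected:", target, "-", reason)
```

The rejected list is worth keeping with the test records, since it documents which addresses were deliberately left untouched and why.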

Implementation

There are 4 steps in a penetration test. But keep in mind that penetration tests do not have a very formal structure, so these steps can be implemented at different times and phases.

Reconnaissance

Threat Modelling

Exploit

Post Exploit

Tools

There are many tools to use in penetration tests, but some of them are very popular in the hacker and penetration tester community. These tools are used to implement the Reconnaissance, Exploit and Post Exploit phases. Here are some of them:

Kali

nmap

sqlmap

hydra

metasploit

acunetix

Linux tools

w3af

Burp suite

Report

A penetration test report provides useful information about the findings of the penetration test. All of the penetration test outcomes are put in the report. So good penetration tests are expressed with good penetration test reports; if not, the feasibility of the penetration test decreases and the gain will be less than expected.